April 15, 1999


RE: (U) "MOONLIGHT MAZE"

RECENT DEVELOPMENTS

(U) On 4/2/1999, the Moonlight Maze Coordination Group (MMCG) deployed a team to
Moscow, Russia, [redacted] The team
consisted of the case agent from FBI Baltimore, a language specialist from FBI San Francisco, a
supervisory special agent from FBIHQ, a representative from NASA and two representatives
from Air Force Office of Special Investigations.

The MMCG team discussed the details of the intrusions previously identified by the
[redacted] The MMCG briefed several
[redacted] investigators on the details of the case and requested assistance to determine the origin of
the intrusions. The team discussed connection data from five computer intrusions involving
systems from the Army, Navy, NASA, and a commercial Internet Service Provider (ISP).

(U) [redacted] provided the team with a memorandum, of which a transcribed copy is
attached to this note, which explained that they would present the evidence to the Prosecutor's
Office for a decision about opening a criminal case.

(U) The MMCG returned from Moscow on 4/10/1999. On 4/15/1999, ALAT [redacted]
contacted [redacted] to obtain an update on their investigation. [redacted]
During the week of [redacted]
have advised the Legat that they will provide him with the intruder's identity after they brief
[redacted] replacement and obtain his approval.

(U) Deputy Assistant Director [redacted] is scheduled to meet with the NIPC's
Interagency Senior Coordinating Group on Monday 4/19/1999, to update them on the MMCG's
activities and obtain information from the intelligence community about any recent intelligence
collection concerning this matter.

BACKGROUND 

(U) "MOONLIGHT MAZE" is the code name for a number of investigations of 
intrusions into various military, governmental, educational and other computer systems in the 
United States, United Kingdom, Canada, Brazil and Germany. Field investigations are being 
conducted by the Albuquerque, Baltimore, Cincinnati, Jackson, New Orleans, and Springfield
Divisions as Offices of Origin and the Atlanta, Boston, Charlotte, Detroit, Indianapolis,
Jacksonville, Knoxville, Mobile, New York, Pittsburgh, Salt Lake City, San Francisco, and
Washington Field Divisions as Lead Offices. The National Infrastructure Protection Center
(NIPC) is coordinating these investigations with investigators from the Air Force Office of
Special Investigations, Army, Naval Criminal Investigative Service, Defense Criminal
Investigative Service, National Aeronautics Space Administration, Department of Energy, as
well as the [redacted] The NIPC is also [redacted] The NIPC has
ensured that Legats London, Moscow and Ottawa are advised of the investigation in their
respective territory.


(U) These investigations were initiated when intrusions were discovered at Wright 
Patterson Air Force Base (WPAFB), Ohio, and the Army Research Laboratory (ARL), Maryland,
and other unclassified military systems, as well as various governmental, commercial and 
educational computer systems in the United States. 



(U) Intrusions into DOE systems include intrusion activity at Los Alamos National 
Laboratory (LANL), Sandia National Laboratory (SNL), Lawrence Livermore National 
Laboratory (LLNL), and Brookhaven National Laboratory. DOE's Computer Incident Advisory 
Capability (CIAC) has been active in this incident. Activity on DOE systems has been confined
to unclassified networks. 








(U) On 1/8/1999, Deputy Assistant Director (DAD) Michael A. Vatis and Section Chief 
Kenneth M. Geide briefed Dr. Hamre, updating him regarding captioned matter. 



(U) As of 1/13/1999, the intruder(s) continued to attempt, and in some instances
succeeded, in intruding into Department of Defense (DOD) computer systems. The intruder(s)
continues to mainly operate Monday through Friday during European business hours. Notably,
the intruder(s) was active on 12/25/1998, a weekday, but was not active on 1/7-8/1999, both
weekdays and Orthodox Christmas holidays in Russia. 


(S/NF) On 1/13/1999, DAD Vatis hosted a meeting with senior representatives from the 
agencies involved in captioned matter (as victims and/or investigators). The principals who 
attended the meeting were: 


Major General John Campbell, Commander, JTF-CND, DOD 

Ms. Sheila Dryden, Principal Director for Security and Information Operations, Office of
Mr. Edward Curran, Director, Office of Counterintelligence, DOE
Ms. Roberta Gross, Inspector General, NASA 

The purpose of this meeting was to brief the status of captioned matter and to
discuss next steps. The attendees were advised:


Referral/Consult 


• that the NIPC is coordinating the investigation and analysis of "MOONLIGHT
MAZE" with full participation by DOD, [redacted] DOE, NASA, Department of
Justice

• that numerous FBI field offices are investigating this matter, collecting evidence
(primarily transnational data) from the ever expanding number of victims

• that the NIPC Cyber Emergency Support Team (CEST) is providing technical
assistance to victim sites and field offices, and is conducting the technical analysis of
the transnational logs obtained from the victim sites

• that the NIPC is working with Army and Navy to determine the feasibility and
desirability for setting up an electronic "honeypot" to assist in attributing the intrusions

• that the NIPC was considering making contact [redacted]
assistance in resolving this investigation

On 1/16/1999, investigation determined that an account belonging to
[redacted] During an interview of [redacted] by his
supervisor, on 1/22/1999, he admitted to illicitly downloading files from [redacted] using his wife's
account on 1/15/1999. [redacted] stated that he did not know that [redacted] was being monitored
when he signed onto the "it" account to obtain a copy of the hacker tools. [redacted] only had the
IP address of where the tools were located. Once signed onto the [redacted] system, [redacted]
followed the intruder's path, in an effort to locate the tools. [redacted] unable to locate the tools in
a specific directory, subsequently began searching the intruder's directories for files and
downloaded three files to his machine in Ellicott City, Maryland. FBI Baltimore executed a
search warrant at [redacted] residence, seizing five computers, two of which were owned by
[redacted] employer. The systems are being examined by the Computer Analysis and Response
Team (CART), Laboratory Division.


(U) On 1/18/1999, the NIPC was notified from the victimized [redacted] site in London
regarding a compromise at the Brookhaven National Laboratory, located in Long Island, New
York. Also compromised the same day was an Army network located in Vicksburg, Mississippi.
The compromise was of a super computing center containing Cray and IBM supercomputers.
The Army CID is determining the damage to the supercomputers.




(U) On 2/25/1999, the FBI briefed captioned matter to key staff members of the House
Permanent Select Committee for Intelligence and the Senate Select Committee for Intelligence.
Representatives from [redacted] and DOD's Joint Task Force - Computer Network Defense (JTF-
CND) also participated in these briefings.


what has happened so far (Weldon says the 'electronic Pearl Harbor' of which Hamre spoke last
year has gone from if to when and the when is today)?" [redacted] would like to speak to
somebody at the Pentagon, "on the record about this."

(U) On 2/25/1999, and again on 2/26/1999 [redacted] attempted to telephonically contact
Douglas G. Perritt, Deputy Director, NIPC, in an effort to obtain comment regarding comments
attributed to Representative Weldon. Perritt has not responded to [redacted] telephone calls.


(U) On 3/1/1999, Defense Week published an article "Hamre to Hill: 'We're in a
Cyberwar'," a copy of which is attached, concerning Dr. Hamre's testimony. The article does not
mention the Russian connection, but otherwise captures the gist of Dr. Hamre's testimony.

(U) On 3/4/1999, ABC Nightly News and the ABCNEWS.com web site aired a story
"Target Pentagon: Cyber-Attack Mounted Through Russia." This report apparently stems from 
the earlier report, on 3/1/1999, by Defense Week, concerning Deputy Secretary of Defense John 
Hamre's testimony on "MOONLIGHT MAZE" before the House National Security Committee 
and the Research and Development Sub-Committee. Other related articles which have also been 
posted on the web are: "US Currently Under Cyber Attack?" posted by AntiOnline on 3/4/1999; 
"Pentagon and Hackers in 'Cyberwar'," posted by MSNBC on 3/4/1999; "Pentagon hackers 
traced to Russia," posted by CNNInteractive on 3/5/1999; "Pentagon 'at war' with computer 
hackers," posted by CNNInteractive on 3/5/1999; and "Electronic Desert Storm," posted by 
AntiOnline on 3/5/1999. The New York Times and New York Times Online also posted two 
articles, "Computer Hackers are Stopped," and "Hacker 'Attacks' On Pentagon May Be More 
Like Espionage," posted 3/5/1999, and 3/8/1999, respectively, regarding this investigation.
Copies of these articles are attached to this note. Reports of information attributed to interviews of
Representative Curt Weldon, Chairman, House National Security Committee, and Deputy 
Secretary of Defense Hamre, have also been aired periodically on CNN Headline News since 
3/5/1999. The ABC story reported that "the Pentagon's military computer systems are being 
subjected to ongoing, sophisticated and organized cyber-attacks. And unlike in past attacks by
teenage hackers, officials believe the latest series of strikes at defense networks may be a 
concerted and coordinated effort coming from abroad." Until Friday, the Defense Department 
had not publicly acknowledged this latest cyber-war. But in an interview with ABCNEWS, 
Deputy Secretary of Defense Hamre, who oversees all Pentagon computer security matters, 
confirmed the attacks have occurred over the last several months and called them 'a major 
concern.' The ABCNEWS article noted that "this is an ongoing law enforcement and 
intelligence matter. Officials believe some of the most sophisticated attacks are coming from 
Russia. Federal investigators are detecting probes and attacks on U.S. military research and 
technology systems — including the nuclear weapons laboratories run by the Department of 
Energy." 

(U) The 3/8/1999, New York Times article stated that "In recent weeks, Government
officials involved with defense have described a new kind of 'cyberwar' being fought on the
Internet, with unknown hackers unleashing relentless assaults on military computers." This
article noted that "... some computer security experts stress that while the hacker activity that
the House heard about is a potential threat, calling it an attack could be an overstatement." This
article also noted that "The Pentagon has said that, as is the case with the vast majority of 
hacking attempts, the recent probes did not result in the penetration of any computers storing 
sensitive information." Representative Weldon is quoted as stating "We know of banks who've 
had their fire walls broken and money transferred out, and they're not going to talk about it." 
Representative Weldon noted that the private sector needs to cooperate more with the 
government "in this area." 


(U) In light of the press coverage, the consensus among the participating agencies was
that we had no real choice but to go directly to [redacted] with a request for assistance to
investigate selected intrusion activity captured during this investigation. The NIPC, working
with the Department of Justice and other Federal Investigative Agencies [redacted]
The MMCG, described below, prepared an operations
plan, which was subsequently approved.




(U) In spite of the ABC story on 3/4/1999, intrusions continued. On 3/5/1999, between 
0228 and 0906 Eastern Standard Time (EST), there were two intrusions into LLNL, one 
intrusion into Lawrence Berkeley Laboratory (LBL), and one intrusion into Argonne National 
Laboratory passing through Jefferson County Library 
These intrusions are consistent with other intrusions associated with "MOONLIGHT
MAZE." These intrusions are significant in that they occurred well after the national press
releases regarding the "MOONLIGHT MAZE."

b7E

(U) On 3/1/1999, the MMCG was established to strengthen the focus and assessment of 
the intrusion activities related to this investigation. The MMCG is composed of forty personnel 
from the following law enforcement, intelligence and Computer Emergency Response Teams 
(CERT) organizations: JTF-CND, DISA, Department of Justice (DOJ), Department of Energy 
(DOE), National Aeronautical and Space Administration (NASA), Air Force Office of Special 
Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), Defense Criminal 
Investigative Service (DCIS), US Army Criminal Investigative Division (USACID), US Army
Military Intelligence (USAMI), Defense Intelligence Agency (DIA), [redacted]
Air Force Information Warfare Center (AFIWC), Navy CERT, Army CERT, [redacted]
FBI Baltimore, Eurasian Section, National Security Division and the NIPC.

Referral/Consult

(U) On 4/2/1999, a team from the MMCG deployed to Moscow, Russia to work
[redacted] this matter. The team returned to Washington, D.C. on 4/10/1999. Prior to departure,
the team [illegible]
Managers,

Concurrence regarding the investigative team's travel has been obtained from the FBI
International Relations Branch (IRB), Legat Moscow and U.S. Ambassador Collins.

(U) I will keep you apprised of significant developments regarding this matter. 